ACS 4.2 Conditional authentication??

Unanswered Question
Dec 14th, 2009

Hi All,
Does ACS have any way of saying "If a user is authenticating to deviceA, use externalDB1 for the password, but if they are authenticating to deviceB, then use externalDB2"?

An example of how this is practical is that our security policy dictates that users have a separate password for their VPN account vs their AD account. The idea being that if their VPN password is compromised, they can't log into any other machines, or if a user's AD password is compromised, it can't be used for remote access. The users authenticate to ACS via RADIUS from the VPN device; what if that user needs to authenticate to a router as well via TACACS, which also talks to ACS... and they're permitted to use their LDAP / AD password to access the routers etc. I'd like requests from the routers for user A to use LDAP, but requests from the VPN device for user A to use a local ACS username / password.

The only way around this that I know of is to use a separate username for VPN access, like userAvpn, and have a local username / pw in ACS for userAvpn. I want to keep as much authentication centralized as I can, as it makes logging and management easier, but ACS doesn't seem to want to play nice...

Is this something ACS 5.1 can do?

smckenzie1 Tue, 12/15/2009 - 03:49

Hi,

After applying patch 13 to our ACS SE 4.2 we found that the enhancement to select the TACACS+ database at a device level was added (CSCsq58224). Therefore, for an NDG we can use a default method to authenticate the users for all devices and then, for device A within that same NDG, select an external DB (such as Windows) to authenticate the users.
The section 'Tacacs+ login/enable authentication' now appears within the AAA client configuration after applying the patch.
Hope this helps.
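The selection logic the reply describes (a default credential store per network device group, with a per-AAA-client override that sends one device's TACACS+ logins to an external directory instead) can be modelled in a few lines. The block below is an added illustration written for this thread, not ACS code and not anything from the poster; the store names ("local", "windows"), the device IPs, the NDG name "corp" and the user "userA" with two different passwords are constructed sample data. It shows the property the question is after: the VPN password is rejected on the router and the AD password is rejected on the VPN device, and a request from an AAA client that is not configured at all fails closed.

```python
"""Model of per-device credential-store selection (added illustration, not ACS code).

Assumed: a local store with salted, hashed passwords standing in for the ACS
internal database; an external store standing in for an AD/LDAP bind; a default
store per NDG; and an optional per-AAA-client override, as the reply describes
for the post-patch-13 'login/enable authentication' setting.
"""
import hashlib
import hmac
import os


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LocalStore:
    """Stand-in for the ACS internal user database (salted, hashed passwords)."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, _pbkdf2(password, salt))

    def authenticate(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


class ExternalStore:
    """Stand-in for an AD/LDAP bind. It keeps a plaintext table only because it
    fakes the directory's verdict; a real deployment asks the directory."""

    def __init__(self, users):
        self._users = users  # constructed sample data: username -> password

    def authenticate(self, name, password):
        expected = self._users.get(name)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


class AuthPolicy:
    """Per-NDG default store plus an optional per-AAA-client override."""

    def __init__(self, stores, device_ndg, ndg_default):
        self.stores = stores            # store name -> store object
        self.device_ndg = device_ndg    # AAA client IP -> NDG name
        self.ndg_default = ndg_default  # NDG name -> store name
        self.device_override = {}       # AAA client IP -> store name

    def set_device_store(self, client_ip, store_name):
        """The device-level selection added by the patch, in this model."""
        if store_name not in self.stores:
            raise ValueError("unknown store %r" % store_name)
        self.device_override[client_ip] = store_name

    def store_for(self, client_ip):
        """Store name for this AAA client, or None if the client is unknown (fail closed)."""
        if client_ip in self.device_override:
            return self.device_override[client_ip]
        ndg = self.device_ndg.get(client_ip)
        return self.ndg_default.get(ndg) if ndg else None

    def authenticate(self, client_ip, username, password):
        """Return (store consulted, verdict); an unknown client is never authenticated."""
        store_name = self.store_for(client_ip)
        if store_name is None:
            return (None, False)
        return (store_name, self.stores[store_name].authenticate(username, password))


def build_demo():
    """Constructed sample: one NDG defaulting to the local store, with the router
    (10.0.0.2) overridden to the external Windows/LDAP store. 10.0.0.1 is the VPN device."""
    local = LocalStore()
    local.add_user("userA", "vpn-secret")            # VPN-only password, held locally
    windows = ExternalStore({"userA": "ad-secret"})  # the user's AD password
    policy = AuthPolicy(
        stores={"local": local, "windows": windows},
        device_ndg={"10.0.0.1": "corp", "10.0.0.2": "corp"},
        ndg_default={"corp": "local"},
    )
    policy.set_device_store("10.0.0.2", "windows")   # router logins go to AD
    return policy


if __name__ == "__main__":
    policy = build_demo()
    for device, pw in (("10.0.0.1", "vpn-secret"), ("10.0.0.1", "ad-secret"),
                       ("10.0.0.2", "ad-secret"), ("10.0.0.2", "vpn-secret"),
                       ("10.0.0.9", "vpn-secret")):
        print(device, pw, policy.authenticate(device, "userA", pw))
```

The override lookup runs before the NDG default on purpose: that is the only ordering in which a single device inside a group can diverge from its group, which is what the patch adds. Real ACS also keys the decision on protocol (the reply is specifically about TACACS+ login/enable), so a RADIUS request from the router would need its own rule; the model keys on client address only.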
